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Abstract 


We propose sync-programs, an automata-based formalism for the 
description of biological systems, and a modular verification technique 
for such a formalism that allows properties expressed in the universal 
fragment of CTL to be verified on suitably chosen fragments of models, 
rather than on whole models. As an application we show the modelling 
of the lac operon regulation process and the modular verification of 
some properties. Verification of properties is performed by using the 
NuSMV model checker and we show that by applying our modular 
verification technique we can verify properties in shorter times than 
those necessary to verify the same properties in the whole model. 


1 Introduction 


Many formalisms originally developed by computer scientists to model sys- 
tems of interacting components have been applied to biology, also with 
extensions to allow more precise descriptions of the biological behaviours 
[4, 8, 12, 16, 32, 33]. Model checking permits the verification of properties 
of a system (expressed as logical formulas) by exploring all the possible 
behaviours of the system. It has been successfully applied to analysis of 
biological systems. Examples of well-established formal frameworks that 
can be used to model, simulate and model check descriptions of biological 
systems are [24, 22, 12]. 
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Model checking techniques have traditionally suffered from the state 
explosion problem. Standard approaches to the solution of this problem 
are based on abstractions and similar model reduction techniques (see e.g. 
[14]). Moreover, the use of Binary Decision Diagrams (BDDs) to represent 
the state spaces (symbolic model checking) often allows the tractable size 
of models to be significantly increased [6]. 


Another method for trying to avoid the state explosion problem exploits 
the natural decomposition of the system. The goal is to verify properties 
of individual components and infer that these hold in the complete system. 
This is the approach that we follow in this paper, and it can be particularly 
efficient when the modelled systems consist of a high number of components, 
whereas properties of interest deal only with a rather small subset of them 
(as often happens with biological systems). 


A class of properties whose satisfaction is preserved from the compo- 
nents to the complete system was identified in Grumberg and Long [23] 
as ACTL, the universal fragment of CTL temporal logic. A technique pro- 
posed by Attie [2] exploits the preservation of these properties in order to 
verify concurrent programs and synthesise systems from specifications. At- 
tie uses a formalism called synchronisation skeletons [13], an abstraction 
of sequential processes, suitable for describing distributed systems. The 
synchronisation skeletons are state-machines where states are connected by 
edges representing conditional transitions. The transitions can be condi- 
tioned by the states of other synchronisation skeletons. 


In this paper we propose an extension of Attie’s approach and appli- 
cation of the modular verification technique to systems biology. However, 
synchronisation skeletons are not suitable for modelling biological systems 
because of their interleaving nature. In fact, in synchronisation skeletons a 
process may perform an autonomous transition by looking at other processes 
states. 


We define sync-programs, an automata-based formalism of interactive 
systems which extends Attie’s approach by allowing processes to perform 
transitions simultaneously. Actually, we consider a very general form of 
synchronisation that allows components of a sync-program to perform a 
transition either autonomously, or by synchronising with another compo- 
nent, or by synchronising with more than one other components. This per- 
mits a wide range of interactions between biological entities to be suitably 
described. 


To be able to apply the proposed modular verification technique, the 
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systems under consideration are subject to some restrictions. In particular, 
we assume infinite behaviours over a finite number of states and fairness 
of systems. The fairness condition consists of requiring that each compo- 
nent of the system contributes to the overall behaviour with infinitely many 
transitions. 

As an example of modelling of biological systems and of modular verifi- 
cation of some properties we apply our formalism to the well-known biolog- 
ical process of lac operon gene regulation. We exploit the NuSMV model 
checker [10] to verify properties on this model by applying our modular 
verification technique. This requires translating the model into the input 
language of the verification tool. In the considered example, verifying prop- 
erties by using our modular verification technique, namely on a suitable 
portion of the model, takes much less time than verifying the same proper- 
ties on the whole model. 

The rest of this paper is organised as follows. In Section 2 we define 
the syntax and the semantics of sync-programs. In Section 3 we define and 
prove the correctness of our modular verification technique. In Section 4 
we give the model of the Jac operon gene regulation process. In Section 5 
we describe the translation of the lac operon model into the input language 
of NuSMV and show some results of verification of properties. Finally, in 
Section 6 we draw our conclusions and discuss related work and further 
developments. 

This paper is an extended and revised version of [20]. In [20] properties 
to be verified on the Jac operon model were only discussed. On the contrary, 
in the present paper we give a translation of the model into the NuSMV 
input language, we show results of verification of the properties by using the 
tool and we compare the time necessary to verify such properties by using 
our modular verification approach with respect to the time of verifying the 
same properties on the whole model. 


2 Sync-programs 


In this section we define the syntax and the semantics of the sync-programs, 
namely Attie’s synchronisation skeletons extended with synchronisation. 


2.1 Syntax 


To model biological systems, we use a component-based approach. Each 
component represents a biological entity, e.g. a protein or an enzyme. 
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We assume a finite index set IT, where an index 7 represents a unique 
identifier of a component. By I(z) we denote the set J — {i}. With a 
component with index i a set AP; of atomic propositions is associated, 
which encode the state of the component. The sets of atomic propositions 
are pairwise disjoint for all the components, i.e. if i A j then AP; AP; = 0. 

A component is modelled by using a finite state machine called a sync- 
automaton. 


Definition 1 A sync-automaton Pi , where i is a component index from 
index set I, is a tuple (S;, 59, Ri): 


e S; C P(AP;) is the set of states; 
e 9° C S; is the set of initial states; 


e R; ‘e Si x SC; x S;, where SC; ‘= P(U 
labelled moves between states. 


jer(P(AP;) x P(AP;))), are 


Each state of a sync-automaton P/ is a truth value assignment to 
atomic propositions of component C;. We denote a move from state s; to 
state t; with a label c by 5; ~; t;. The move from state s; to t; with label c 
intuitively means that automaton Pi can move from s; to t; if the activities 
of automata in I(i) satisfy condition c called a synchronisation condition. 
Definition 2 A synchronisation condition of sync-automaton (Zz is a label 
of the form {A;:B; | j € L}, where L C I(t) and Aj, B; are sets of atomic 
propositions drawn from AP; or their negations. 

LAPS B is cag Apt Be where Aji.ccci tay C1) and Ay By are: sets: of 
atomic propositions drawn from AP; or their negations. 


We denote a synchronisation condition {Aj;,:Bj,,...,Aj,:B;,,} as a for- 
mula AjepAj;:B;, where L = {j1,...,jn} and A;,B; are conjunctions of 
atomic propositions from AP;. The set L C I(i) contains indices of the 
sync-automata with which P/ wants to synchronise. For every j in L, the 
sets of propositions A; and B; are to be satisfied in the starting and end- 
ing state, respectively, of the concurrently performed move of P} . In other 
words, A;:B; in a label of a move of Pi says that every move in Pr that 


can be performed in parallel with this move of Pi is obliged to lead from 
a state satisfying A; to a state satisfying B;. It is worth mentioning that 


A; and B; need not be full descriptions of states, they can be partial and 
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thus be satisfied by more than one state. In order for the synchronisation of 
several sync-automata to actually take place, we will require that the move 
performed by each sync-automaton refers in its synchronisation condition 
to every other participating sync-automaton. 

Note that it is possible for L to be empty. Intuitively, this means 
that the considered move of sync-automaton ee does not have any require- 


ments on other sync-automata. We write a synchronisation condition of 


this form, ie. AjegAj:Bj, as NOSYNC. Move s; BLL BESIEN t; represents an 


autonomous move of yo i.e. the sync-automaton moves without performing 
synchronisation. 

In the special case that set A; is empty, we shall write true;:B;. In 
this case the sync-automaton is willing to synchronise with any move of a 
satisfying B; in the ending state. Symmetrically, if B; is empty, A; needs to 
be “matched” in the starting state, and we write A;:true;. If both A; and 
B; are empty, the sync-automaton is ready to participate in synchronisation 
with any move of P} and we write this condition as true;:true;. For the 
sake of simplicity we will always write true:B; and A;:true for true;:B; and 
A;:true;, respectively. We cannot do the same simplification on true; : true;, 
namely we cannot remove the two subscripts 7, because this would make it 
impossible to understand which is the sync-automaton the synchronisation 
condition refers to. 

Moreover, note that multiple moves between the same pair of states 
are possible. Loops are covered by the definition as well, and we use an 
abbreviation A; © for a condition of the form A;:A;. 

On fig. 1 we show an example of a sync-automaton, denoted P/,, where 
I is the index set including indices Lac, Beta, Glu and Allo. It is the sync- 
automaton that we will use to describe lactose in the lac operon model that 
we will give in Section 4. The sync-automaton has two states. For each 
state we display only the atomic propositions true in that state. There is a 
NOSYNC move between the two states representing an autonomous state 
change performed by lactose. Moreover, there are two looping moves in 
the state Lac_in, each representing synchronisation with two other sync- 
automata. In particular, Beta_high © and Beta_low © are conditions 
for synchronisation with synch-automaton P3 modelling 6-galactosidase, 
true : Glu_high and Glu_low © are conditions for synchronisation with 
synch-automaton Po modelling glucose, and true : Allo_low is a condition 
for synchronisation with synch-automaton Pie modelling allolactose. The 
inclusion of the looping move in the state Lac_out with five other sync- 
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automata will be explained later in Section 4. 


Allo_none © Atruegetg © A 
B1 © Atruegiy © A(Act A Rep) © Beta_low © Atrue:Allo_low 


& NOSYNC 


Beta_high © Atrue gi, © 
Beta_high © Atrue gu © 


Figure 1: P/ — Lactose 


lac 

Having sync-automata related by an index set, that is their synchronisa- 
tion conditions refer to sync-automata within the index set, a sync-program 
is obtained by running the sync-automata in parallel. 


Definition 3 Let I = {1,...,n} be an index set. The sync-program is a 
tuple P! = (94, P{||...||P/), where each P/ is a sync-automaton. The set 


Si =S9 x... x 9° is the set of initial states of the sync-program. 


A sync-subprogram represents the behaviour of its sync-automata in 
isolation. We obtain a sync-subprogram by projecting a sync-program onto 
an index set J C I. We denote this by the projection operator [./. 


Definition 4 Let J C I be an index set and J = {j1,..., jp}. Let P! = 
($2, P#\|...||PZ) with PJ = (S;,S°,R:) for each i € I. Then P!}J = 
(Sg, P?|| eee ||P") with ed (9;,99, Ri) for each j € J where 


e S; and SY are as in Pa 


jletngAjn Br Niter Ay By 


A 
e Ri = 13; tj | 8; >t; € Ne 


Initial states are Se = Sv xX...xX ce 


The projection contains sync-automata from J, each sync-automaton 
has the same states as its counterpart in P! but synchronisation conditions 
on their moves concern only sync-automata from J. We remark that a sync- 
subprogram P/|J is still a sync-program with index set J, hence it can be 
also denoted by PY. 

As an example, on fig. 2 there is sync-automaton P/ 


jac after projection 
onto {lac, glu}. 
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true gy © NOSYNC 


NOSYNC 


truegu O 


truegu O 


Figure 2: Pi — Lactose 


2.2 Semantics 


Let I be an index set, where J = {1,...,n}. An I-state is a tuple s = 
(S1,.--,; Sn) where each s; is a state of the sync-automaton Pee An I-state 
represents a configuration of a program. I-state s = {s1,...,5,} can be pro- 
jected onto a single component index i € I as follows: s[i = s;. Similarly, 
$ projected onto J.C J with nodés. {7i,..<,jet, 18 Slo = (Sypjs=2535y)- 
In program P! we define the type of a move, represented by function 
type : U;ey Ri — I, the index of the sync-automaton the move belongs 
to. Function types provides the same functionality on a set of moves. 

Now we can proceed to defining the semantics of sync-programs as a 
labelled transition system on I-states, called an J-structure. First, we give 
the definition of a synchronisation, which is a complete set of moves from 
different automata having all their synchronisation requirements satisfied. 


Definition 5 Let I be an index set. We call a set of moves MOV a syn- 
chronisation iff 


1. all moves in MOV are from distinct sync-automata in I 
© . 5 AjeLA;:B; 

2. ifm € MOV is of type i and has the form s; —————> t;, then for all 
j €L there is a move m' € MOV of type j and has the form s; sale tj 
and for all p € Aj: s;(p) = tt and for all p € B;: tj(p) = tt 


3. MOV is complete, i.e. if m € MOV is of type i and has the form 
ee MR. 
8; pak t;, then L = types(MOV) — {i} 


A pair of J-states such that the second state can be reached from the 
first one by carrying out the synchronisation in question is called a support 
of the synchronisation. 
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Definition 6 Let I be an index set. Consider a synchronisation MOV 
consisting of moves s; —> t; for all i € types( MOV). We call a couple of 
states (s,t) the support of synchronisation MOV iff s and t are I-states 
and 


1. s[i=s; for alli € types(MOV) 
2. thi=t; for alli € types(MOV) 


3. for alli € |I| — types(MOV): sli =t[i. 


The semantics thus is a labelled transition systems over I-states where 
the transitions between two states s and ¢ are obtained from the synchroni- 
sations with support (s,t). 


Definition 7 Let I = {1,...,n} be an index set. The semantics of P! = 
(S°, P£||...||P2) is given by the I-structure My = ($7, S59, Rr), where Sy is a 
set of I-states, S° C Sy is the set of initial states and Ry C S; x P(\I|) x Sy 
is a transition relation giving the transitions of P!. A transition (s,l,t) is 
in Ry iff there is a nonempty set MOV of moves such that | = types( MOV) 
and MOV is a synchronisation with support (s,t). 


A transition of the form (s,/,¢) corresponds to the situation where 
sync-automata with indices in / perform moves and the rest stays idle. 

The synchronisation corresponding to a transition label / may contain 
only one index, let us assume it is 7. In this case there is a move in the 
sync-automaton ae that does not require synchronisation with other sync- 
automata, i.e. set L in the synchronisation condition of such a move is 
empty. Note that the second condition of the definition of the synchroni- 
sation is satisfied vacuously. In this situation sync-automaton P/ performs 
an autonomous NOSYNC move from s{i to t/i. 

The case in which / contains more indices corresponds to the synchroni- 
sation of the sync-automata. Sync-automata with index in / can perform a 
move if all their synchronisation requirements against other sync-automata 
are satisfied. In particular, for sync-automaton PI set A; must be satisfied 
in the starting state and B; in the ending state of the transition, respectively. 
Moreover, inclusion of L in / guarantees that all the required sync-automata 
will really participate in the synchronisation. Moreover no other automata 
are in the synchronisation, thus relating the synchronisation with its sup- 
port. 
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The completeness requirement in the definition of a synchronisation 
intuitively means that in order for the synchronisation of several sync- 
automata to take place, it is necessary that the move performed by each 
sync-automaton refers in its synchronisation condition to every other par- 
ticipating sync-automaton. This also implies that it is not possible that the 
synchronisation is composed of several disjoint sets, each of which could be 
a synchronisation alone. 

As an example of a transition, suppose that J = {1,2,3} and sync- 
automaton P/ contains a eas b, PJ contains a move A , Band sync- 
automaton Pi has a move X —“. y. Then there is a synchronisation 
{a a b, A a B}, its support is ([a, A, X], [b, B, X]). Thus, Mz; contains 
a transition ({a, A, X], {1,2}, [b, B, X]) representing that sync-automata with 
indices 1 and 2 synchronise and Py remains idle. 

A transition (s,/,¢) in an J-structure can be projected onto J C I such 
that 1N J 4 @ as follows: (s,1,t)[J = (s[J,1n J,t[J). 

A concept that will allow us to reason about properties of programs, is 
that of path. 


Definition 8 Let I be an index set. A path in an I-structure My is a 
sequence of I-states and transition labels x = (s',l', s?,1?,...) such that for 
all m, (s™,1, s™*) € R;. A fullpath is a maximal path. 


A fullpath is infinite unless for some s” there is no s+! and I’ such 
that (s 1’, s™*1) € Ry. Let 7” denote the suffix of 7 starting in m-th 
I-state. 

For a J C I let us define a J-block of 7 to be a maximal subsequence 
of 7 that starts and ends in a state and does not contain a transition label 
containing any 7 such that 7 € J. Thus we can consider 7 to be a sequence 
of J-blocks with two successive J-blocks linked by a transition label / such 
that 19 J # 0 (note that a J-block can consist of a single state). It also 
follows that s|.J = t{J for any pair of states s,¢ in the same J-block. Thus, 
if Bl is a J-block, we define Bi[J to be s{J for some state s in Bl. We 
now give the formal definition of path projection. Let Bl” denote the n-th 
J-block of 7. 

Let 7 be (Bl',l', BI?,1?,...) where BI” is a J-block for all m. Then 
the path projection is given by: a[/J = (BUJU NJ, BP[ZP9J,...). 
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3 Modular Verification 


In order to analyse the behaviour of a biological system we would like to 
verify properties of computation of sync-program Pp! representing the sys- 
tem. Say that a property fy only regards part of the system, in particular 
the part involving only sync-automata from J C I. We would like to check 
satisfaction of fj on the semantics of P/. In order to avoid space explosion, 
we want to check it on a smaller and more abstract semantics, in particular 
on the semantics of P? = P!|J. The subprogram P’ abstracts from the 
behaviour of sync-automata non-present in J and poses less restrictions in 
terms of synchronisation requirements. Thus its semantics represents an 
overapproximation of the behaviour of part of P/ concerning J. 

To be able to perform the verification on the smaller semantics we need 
to prove that every computation concerning sync-automata from J of the 
program P! is present as a computation of P’. 

It is reasonable to define a computation as a fullpath in the semantics 
of the sync-program. We need to show that every fullpath in the semantics 
of P! projected onto J is a fullpath in the semantics of P’. Firstly, we 
prove that every path in M, projected onto J is a path in M,. 


Lemma 1 (Transition projection) Let I be an index set and My; = 
(Sz, Sd, Rr) the semantics of sync-program P!. For all I-states s,t in Sy 
and alll € P(L), transition (s,1,t) is in Ry iff for all J C I such that 
INJ #9, (s,1,t)[J is in Ry, where My = (S7,83,Rz) is the semantics 
of sync-program P! = P!} J. 


Proof: Direction right to left. Suppose that for any J C J such that 
INJ#9, (s,1,t)[J € Ry. By taking J = I we get (s,1,t) € Ry. 

Direction left to right. Suppose that (s,l,t) € Rz, we will show 
(s,l,t)[J © Ry for any J CI such that INT £0. 

From the definition of the semantics of sync-program P! we have that 
there is a synchronisation MOV with support (s, ¢) such that types( MOV) = 
1. We need to show that in M, there is a synchronisation MOV’ with 


support (s[J,t[J) such that types(MOV') = 19 J. Let us consider the 
cay AB: 
set MOV' = {s; ti | 5; SAL EL t; € MOV andi € J}. Since 


IN J #0, MOV’ is not empty. Then 


AjeLtngA;:B; 
—————> 


e all moves are from distinct automata, because it was so in MOV. 
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Nj eLAj:B; 
e if m € MOV’ is of type 7 and has the form s; pichsees Ae t;, then for 


all 7 € LN J there is a move m’ € MOV’ of type j and has the form 
8; = t; and for all p € Aj: s;(p) = tt and for all p € B;: t;(p) = tt. 
In particular it is the move s; es t; where se’; = AjrerinsAj:B; if 
8Cj = Ajeet Aj:B;. 


e the completeness of MOV’ comes from the completeness of MOV. 


Hence, by definition of a synchronisation MOV’ is a synchronisation in P’. 
Moreover, since for all i € J —1: s[t =t[1, it holds for subset JN (J — 1) = 
J—JQl. That means that (s[J,t/J) is the support of synchronisation 
MOV’ in P’. Also, types(MOV’) =10 J. Thus, by definition of semantics 
of P’ the tuple (s[J,1N J,t[J) = (s,1,t)[J is in Ry. 


Lemma 2 (Path projection) Let I be an index set and My; semantics of 
sync-program P!. For every J CI ifm is a path in My then r[J is a path 
in Mz, where M, is the semantics of sync-program P? = P!} J. 


Proof: Let 7 = (Bl',l', BI’, I?,...) be a path in (M); and BI J-blocks 
for all m. By s™ and t™ denote first and last state of Bl’, respectively. 
By definition of J-structure we have that transition (¢”,1,s’*+) is in. M; 
for all m. By transition projection lemma transition (t”,1,s™t!)[J = 
(¢t™( TI" O J,s™*[J) is in My for all m. Now since s™[J = t[J for all 
m, we get that (s’™[J,I7 9 J,s™*+1[J) in My for all m. Hence sequence 
(st[J,UOJ,s7[J,P2 0 J,...) satisfies the definition of a path in M). 

However, with computation defined as a fullpath, violation of the de- 
sired computation preservation might occur. In particular, violation arises 
when an independent partition P of sync-program P! exists that can be exe- 
cuted forever, while not allowing execution of other enabled sync-automata 
outside P. Consider a fullpath a in My; and a state t from which only sync- 
automata in P are executed. When projecting 7 onto J = (I— P) composed 
only of idle sync-automata, a finite path | J is obtained. However, as in t 
some automata from J are enabled but not executed, in M, they can be 
executed and thus a path ending in t/J is not a fullpath. Hence, 7 is a 
computation of P! but [J is not computation of P’. 

We need to refine the definition of computation, so that for all J a 
computation of P/! projected onto J will be a computation in P’. We 
restrict ourselves to a special class of “fair” computations, in particular 
those in which every sync-automaton is executed infinitely many times. We 
define fairness as a property of paths in Mr. 
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Definition 9 A path 7 = (s',l',s?,I?,...) in Mz is fair iff for alli € I we 
have that {m |i El} is infinite. 


Note that every fair path is infinite and each component involved in a 
fair path must have an infinite behaviour. Finite behaviours of components 
can be simulated by adding looping moves to the final states. 

For the systems we aim to describe, the fairness assumption is rea- 
sonable since we regard a behaviour of biological system correct when all 
components are able to perform their function. Moreover, there is a class 
of systems where all fullpaths are fair, we provide a non-trivial example of 
such a system in Section 4. 

We remark, that transient behaviour of the system can be studied by 
considering only a portion of its infinite behaviour. 

Now we prove, that this definition of fairness guarantees preservation 
of computation under projection. 


Lemma 3 (Fullpath projection) Let J C I be an index set. If 7 is a 
fair fullpath in Mz, then r[J is a fair fullpath in Mj. 


Proof: By path projection lemma z|[J it is a path in M,. Since z is a 
fair path in My, by definition of path projection we get that 7/J is a fair 
path in M,. From the definition of fairness follows that every fair path is 
infinite, i.e. it is a fullpath. 


Now we exploit the fullpath projection lemma to prove that behavioural 
properties expressed in a suitable logic that hold in a semantics of sync- 
subprogram also hold in the original sync-program. The logic we will con- 
sider is a fragment of the Computation Tree Logic CTL* which is an exten- 
sion of classical logic that allows reasoning about an infinite tree of state 
transitions. It uses operators about branches (non-deterministic choices) 
and time (state transitions). Two path quantifiers A and E are thus in- 
troduced to handle non-determinism: Af meaning that f is true on all 
branches, and Ef that it is true on at least one branch. The time opera- 
tors are F,G,X,U and Uy; Xf meaning f is true at the next transition, 
Gf that f is always true, Ff that f is eventually true, fUg meaning f is 
always true until g becomes true, and fU,g meaning f is always true until 
g might become true. In this logic, Ff is equivalent to trueUf, fWg to 
(fUg) V Gf. We have the following duality properties: =(E(f)) = A(-f), 
“(F(f)) = G(-f), 7GUg) = (-gUwf). 
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The Computation Tree Logic CTL is the fragment of CTL* where each 
temporal operator must be preceded by a path operator, and each path 
operator has to be immediately followed by a temporal operator. 

Following Attie, we assume the logic ACTL™ for specification of prop- 
erties. ACTL is the “universal fragment” of CTL which results from CTL 
by restricting negation to propositions and eliminating the existential path 
quantifier and ACTL™ is ACTL without the AX modality. 


Definition 10 The syntax of ACTL™ is defined inductively as follows: 


e The constants true and false are formulae. p and 7p are formulae for 
any atomic proposition p. 


e If f,g are formulae, then so are f \g and f Vg. 
e If f,g are formulae, then so are AX; f, A[fUg] and A[f Uwg]. 


We define the logic ACTL; to be ACTL™ where the atomic propo- 
sitions are drawn from AP; = {AP; | ie J}. Abbreviations in ACTL™: 
AFf = Altrue Uf] and AGf = Alf Uwfalse]. 

Properties expressible by ACTL™ formulae represent a significant class 
of properties investigated in systems biology literature as identified in [29], 
such as properties concerning exclusion (It is not possible for a state S to 
occur), necessary consequence (If a state S; occurs, then it is necessarily 
followed by a state Sy), and necessary persistence (A state S must persist 
indefinitely). Oscillatory behaviour [7] is describable by an ACTL™ formula 
as well. 

Occurrence, possible consequence, sequence and possible persistence 
are of inherently existential nature, and are not expressible in ACTL™. 

Definition of the semantics of ACTL™ formulae on the J-structure fol- 
lows. Note that only fair fullpaths are considered. 


Definition 11 Semantics of ACTL~. We define M;,s f (resp. Mz,7F 
f) meaning that f is true in structure My at state s (resp fair fullpath 7). 
We define F inductively: 


e Mr,sF true. Mz,s% false. Mr,s— p iff s(p) = tt. 
My, 8 F —p iff s(p) = ff. 


e M,,sEfAg iff M;,sF f andMy,,sF g. 
M,,sEfVg iff MrsF f orMyz,sk g. 
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e M,,st Af iff for every fair fullpath 7 = (s,U',...) in Mz: 
My,,7 FE f. 


eo M,,7F f iff M1,5F f, where s is the first state of 7 


eM,nEfAgifMr,7E f andM,,7 Fg. 
M,,nE f Vg iff Mz,a0F f or My,7F g. 


e M,,7F— fUg iff there exists m € N such that M;,n™ F g 
and for allm' <m:My,7r™ E f. 


e M,,7F fUwg iff for allm EN, if Mz,n™ # g 
for all m' <m then Mz,7™F§ f. 


Now we give the main theorem of the paper which states that all 
ACTL™ properties that hold in M, also hold in My. 


Theorem 1 (Property preservation) Let J C I be an index set, s an 
I-state and f an ACTL property. If Mj,s|JF f then M7,8F f. 


Proof: By induction on the structure of f (for all s). 

f =p. By definition of state projection and the fact that APj;s 
are pairwise disjoint, for all atomic propositions p from AP, we get that 
My,,s/J Ep iff M;,s& p. Analogously for f = =p. 

f = gh. From the assumption M,,s/ JF g Ah by CTL semantics, 
My,,s[J — g and M,,s[J — h. By induction hypothesis M;,s F g and 
My,,sFh. Hence, M;,sEgAh. Case f =gVh is proved analogously. 

f = AlgUwh|. Let a be an arbitrary fair fullpath starting in s. We es- 
tablish M,, 7 F [gUwh]. By fullpath projection lemma z{J is a fair fullpath 
in Mj, hence by the assumption M,7[JF [gU,,h]. There are two cases: 


1. Mj,7[J — Gg. Let t be any state along 7. By CTL semantics 
M,,t|J& g. by induction hypothesis we have M7,t F g. Since t was 
an arbitrary state of 7, we get M;,7F Gg and thus M,;,7F gUwh. 


2. My,n[J & [gUh]. Let s'” be the first state along 7[J that satisfies h. 
Then there is at least one state s”” along m such that s™’ [J = gee, 
Let s” be first such state. By induction hypothesis M,,s” F h. 
From the definition of path projection any s’” with m < m’ projects 
to s™|J that is before st in z[J. By the assumption Mj, s™|JF g, 
hence by induction hypothesis M7;,s™ F- g. By CTL semantics we get 
My, F guh. 
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In both cases we showed M7,7aF gU,,h. Since 7 was arbitrary fair fullpath 
starting in s, we conclude M,,s — A[gU,,hl. 

f = AlgUh]. Let a be an arbitrary fair fullpath starting in s. By full- 
path projection lemma | J is a fair fullpath in M, and by the assumption 
M,,7/J = [gUh]. By the above case we get s F A[gUh]. 


4 Application 
In this section we give a model of the Jac operon regulation process in terms 


of a sync-program. Our model is inspired by the CCS model of the same 
process given in [31]. 


4.1 Lac Operon Regulation 


a “ 
iy 
> 
LL» giycolysis 


Figure 3: A diagram of lac operon regulation [18] 


Bacteria have a simple general mechanism for coordinating the regula- 
tion of genes encoding products that participate in a set of related processes: 
these genes are clustered on the chromosome and are transcribed together. 
The gene cluster plus additional sequences that function together in regula- 
tion are called an operon [25]. 

The lac operon (see fig. 3) contains three genes related to lactose 
metabolism. The lac Z, Y and A genes encode {-galactosidase, galactoside 
permease and thiogalactoside transacetylase, respectively. 6-galactosidase 
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converts lactose to galactose and glucose or to allolactose. Galactoside per- 
mease transports lactose into the cell and thiogalactoside transacetylase 
appears to modify toxic galactosides to facilitate their removal from the 
cell. 

In the absence of lactose, the Jac operon genes are repressed, namely 
they are transcribed at a basal level. This negative regulation is done by 
a molecule called Lac repressor, which binds to the operon, blocking the 
activity of RNA polymerase. The binding sites are called operators, the 
main operator is named O,. The lac operon has two secondary binding 
sites for the Lac repressor: O2 and O3. To repress the operon, the Lac 
repressor binds to both the main operator and one of the two secondary 
sites. 

When cells are provided with lactose, the lac operon is induced. An 
inducer molecule binds to a specific site on the Lac repressor, causing disso- 
ciation of the repressor from the operators. The inducer in the lac operon 
system is allolactose, an isomer of lactose. When unrepressed, transcription 
of lac genes is increased, but not at its highest level. 

In addition, availability of glucose, the preferred energy source of bacte- 
ria, affects the expression of the lac genes. Expressing the genes for proteins 
that metabolise sugars such as lactose is wasteful when glucose is abundant. 
The Jac operon deals with it through a positive regulation. The effect of glu- 
cose is mediated by cAMP, as a coactivator, and an activator protein known 
as cAMP receptor protein (CRP). When glucose is absent, CRP-cAMP 
binds to a site near the lac promoter and stimulates RNA transcription. 
In the presence of glucose, the synthesis of cAMP is inhibited and cAMP 
declines. Binding to DNA declines, thereby decreasing the expression of the 
lac operon. 

CRP-cAMP is therefore a positive regulatory element responsive to 
glucose levels, whereas the Lac repressor is a negative regulatory element 
responsive to lactose. Consequently, strong induction of the lac operon 
requires both lactose (to inactivate the Lac repressor) and a lowered con- 
centration of glucose (to trigger an increase in cAMP and increase binding 
of cAMP to CRP). 


4.2 The Model 


We will fix the index set I = {lac, (, allo, op, rep, pos, glu} representing lac- 
tose, G-galactosidase, allolactose, lac operon, repressor, CRP-cAMP regula- 
tion and glucose, respectively. For the sake of simplicity we do not model 


Modular Verification of Interactive Systems 
with an Application to Biology 55 


the activities of galactoside permease and thiogalactoside transacetylase. 

We provide a sync-automaton for each biological component. In par- 
ticular lactose is modelled by Pie with APige = {Lac_none, Lac_low}, B- 
galactosidase by P} with AP, = {Betalow, Beta_high} and allolactose 
by Pl with AP ayo = {Allo_none, Allolow}. The lac operon is repre- 
sented by tee with AP,, = {Act, Rep}, the lac repressor by Pies with 
AP rep = {B1, B2, B3, Ballo}, the positive regulation by Piss with AP pos = 
{cAMP_high, CRP—cAMP} and finally glucose is represented by ae with 
AP gu = {Glu_high, Glulow}. 

Sync-automaton Pe (fig. 1 in Section 2) has two states, mappings of 
the set of atomic propositions AP jg. to {tt, ff}. For each state we display 
only the atomic propositions true in that state. Initially, there is no lactose 
in the cell. The scenario of the lactose never entering the cell is represented 
by the looping move in the state lac_out. This move synchronises with 
looping moves in other sync-automata representing the state corresponding 
to such a behaviour. The requirement of synchronisation with the other 
sync-automata is due to fairness, since no sync-automaton is allowed to 
remain blocked. External lactose entering the cell is modelled asa NOS YNC 
move because it is caused by mechanisms that are not considered in our 
model. Once inside the cell, lactose is transformed in the presence of (- 
galactosidase to glucose. This is modelled as a synchronisation with Pie 
and P3 . On the other hand, when the enzyme (-galactosidase is absent, 
lactose is transformed to allolactose and it is non-deterministically decided 
whether all the lactose is consumed. 

In sync-automaton P3 (fig. 4) 6-galactosidase has two states represent- 
ing its concentration level which are affected by activation and repression 
of lac operon ae When reacting with lactose, this enzyme, at low level, 
can produce allolactose or, at high level, can produce glucose and galactose. 
Since galactose does not participate in regulation we do not include it in 
our model. The change in the level of 6-galactosidase is caused by the full 
expression of the operon, and that is done via two channels, positive and 
negative regulation. If lactose never enters the cell, G-galactosidase level 
remains low. 

Allolactose P4),, (fig. 5) can be present at low concentration in the 
cell or be absent. Its level is increased as a result of the reaction of lactose 
with the 6-galactosidase enzyme. When present, it can bind to lac repressor 
Piss and its concentration will reduce. Allolactose remains absent, if lactose 
never enters the cell. 
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Lac_in © Atrue:Allo_low true:(Act A Rep) A true:-B1 Lac-in:true \ true_glu © 


true:(Act A ~Rep) \ >CRP—cAMP:CRP—cAMP 


Beta_high 


(Act A +Rep):true \ CRP—cAMP:>CRP—cAMP 


Allo_none © ALac_out © A (Act A aRep):true \ ~B1:true 
B1 © Atruegy, © \(Act A Rep) © 


Figure 4: P} — G-galactosidase 


Lac_out © Atrue peta © A 
B1 © Atrue gn, © A(Act A Rep) © Lac-in © ABeta_low © 


Lac_in © \Beta_low © 


aBAllo: BAllo 


Figure 5: Ps — Allolactose 


The lac operon eee (fig. 6) has four states, all possible truth value 
assignments to AP,,. Atomic propositions Act, Rep represent that the lac 
operon activated and repressed, respectively. Repression and unrepression 
(horizontal moves on fig. 6) are determined by negative regulation Pe while 
activation and inactivation (vertical moves on fig. 6) by positive regulation 
Pigs Note that full transcription of the operon genes occurs only when both 
unrepressed and activated (state Act, Rep). This state also determines the 
concentration of -galactosidase. Note that the absence of lactose makes the 
operon persist in the active but repressed state. 

The lac repressor Pics (fig. 7) has five states. After binding of lac 
repressor protein to QO; site, it might bind either to the Og or O3 sites. 
The level of beta-galactosidase may be decreased if it was high before the 
binding. These bindings repress the operon. When the inducer allolactose 
binds to the repressor, it releases the operator sites and unrepresses the 
operon, possibly changing the level of $-galactosidase. If allolactose does 
not bind, a looping move occurs. 

The positive regulation PJ,, (fig. 8) works as follows. When glucose 
level is low, cAMP concentration will be increased. Coactivator CRP cre- 
ates a complex CRP-cAMP that binds to lac operon, stimulating the tran- 


scription. When the glucose concentration is increased, cAMP level will 
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Figure 6: sees — Lac operon 
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Figure 7: PZ 


epr ~ Lac repressor protein (Negative regulation) 


decrease and CRP-cAMP releases the operon site, deactivating the tran- 
scription. Depending on the state of the operon, the level of G-galactosidase 
can be affected. 


In Pi (fig. 9) glucose concentration can be high or low. The decrease 
of its concentration depends on factors that are not modelled. The increase 
of the concentration can occur via reaction of lactose and 6-galactosidase. 
It is nondeterministically decided when the concentration level of glucose is 
considered high enough to pass to the state high. In addition, this compo- 
nent can be queried for the concentration level by ee The lack of inner 
lactose makes the glucose level remain unchanged. 


The sync-program describing the whole system is obtained by running 
all sync-automata in parallel P! = (Sars | P3 l Patol|Pop||Prepr || Pos || Panz)- 


lac a 
The set of initial states is a combination of the sets of initial states of re- 
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Figure 8: ie — CRP-cAMP (Positive regulation) 
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Figure 9: eee — Glucose 


spective sync-automata. 


5 Verification of Properties with NuSMV 


In this section we shortly describe the NuSMV model checker, we present 
the translation of our model of the Jac operon regulation process into the 
NuSMV input language and we show some results of property verification. 


5.1 The Tool NuSMV 


The NuSMV model checker [10] is a well-established and efficient symbolic 
model checker for Finite State Machines (FSMs). It is particularly suitable 
to be used in the specification and verification of sync-programs since its 
input language provides for modular descriptions and since it accepts CTL 
(that includes ACTL7) as the language for property specification. Hence, 
NuSMV can be used both to verify CTL properties on sync-programs in the 
traditional way and to verify ACTL™ properties by following the modular 
approach. 

The input language can be used to describe systems in three different 
styles: as a synchronous system, as an asynchronous system, and by means 
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of a direct specification of the FSM. We shortly describe only the latter 
style, since it is the one we will use in the translation of our example model. 

A direct specification of a FSM in NuSMV may consist of several mod- 
ules that may have parameters. One module is called main, and it is the 
root of the model. As an example consider the following simple NuSMV 
model consisting of two modules: main and proc. 


MODULE main 
VAR 
pl : proc(p2.mutex) ; 
p2 : proc(pi.mutex) ; 


MODULE proc (other) 
VAR 
mutex : boolean; 
DEFINE 
free := !other & !mutex; 
INIT 
mutex : FALSE; 
TRANS 
free & next(mutex) | mutex & next(!mutex); 


The example describes two processes willing to access some resource in mu- 
tual exclusion. In module main we have two variables (defined in the VAR 
section of the module) p1 and p2 corresponding to the two processes. In 
module proc we have one boolean variable mutex that is true if the process 
is accessing the resource. The formal parameter other is a reference to the 
mutex variable of the other process (as it is stated in module main). In sec- 
tion DEFINE it is possible to define some macros (or shortcuts): in this case 
we define the macro free corresponding to !other & !mutex that is true if 
and only if neither of the two processes is accessing the resource (note that 
!, & and | represent negation, conjunction and disjunction, respectively). In 
section INIT the initial values of variables can be set (in this case mutex is 
set to false). Finally, in section TRANS a propositional formula can be given 
to specify the transition relation of the FSM. The formula can refer to the 
values of the variables before and after (by using the keyword next) the ex- 
ecution of the transition. In the example we have two possible transitions: 
the first from a state satisfying free to a state in which mutex is set to true, 
and the second from a state in which mutex holds to a state in which it is 
set to false. 


60 P. Drabik, A. Maggiolo-Schettini, P. Milazzo 


This example of NuSMV model does not work as expected. In fact, 
the semantics of the language is such that transitions concerning different 
modules are performed in parallel. This causes the two processes p1 and 
p2 to be able to set their own mutex variables to true in the same step. 
This problem has to be solved by adding an extra module which chooses 
at each step which module is to perform the transition, thus simulating 
asynchronous behaviour. Moreover, the fairness is implemented on the level 
of the selector. When once a process is selected it must perform a transition, 
it is enough to schedule the processes infinitely often. 


5.2 Ad Hoc Translation of the Example 


Now we introduce the translation of our model into the NuSMV input lan- 
guage. The objective is to give one module for each sync-automaton plus a 
selector module for simulating asynchronous behaviour and the main mod- 
ule. 

We give one module for each of the sync-automata. For example to 


P! corresponds the module 


glu 
MODULE gluMod(...) 


Each module is provided by a list of formal arguments, these will be dis- 
cussed later in this section. 

In the module, there are essentially three kinds of variables. The 
first are variables corresponding to the atomic propositions of the sync- 
automaton. 


VAR 
glu_high : boolean; 


Moreover, there are variables that express the fact that an atomic proposi- 
tion is true in a state reachable in one move from the current state. 


toGlu_low : boolean; 


We call these variables to-variables. Lastly, there are module-specific vari- 
ables true_glu and toTrue_glu that are used in our encoding of the au- 
tomaton. 

We define macros for specifying the states of the module. These states 
consist of a conjunction of variables or their negations, where all the vari- 
ables are listed. The states are of two types. The first are states correspond- 
ing to the states of the sync-automaton, having all to-variables false. 
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DEFINE 
statel := glu_high & !toGlu_high & !glu_low & !toGlu_low 
& !'dummy & !toTrue_glu; 


Then there are so-called intermediate states. For every distinct move in the 
sync-automaton, there is one distinct corresponding intermediate state in 
the module. For example, for the move from state {Glu_low, =Glu_high} 
to {>Glu_low, Glu_high} there is a corresponding intermediate state. The 
variables corresponding to the atomic propositions match the corresponding 
automaton state — source of the move. The assignment to the to-variables 
corresponds to the target of the move in the sync-automaton. 


state7 := !glu_high & toGlu_high & glu_low & !toGlu_low 
& !'dummy & toTrue_glu; 


Note that for every move between two states in the sync-automaton we 
need a distinct intermediate state in the module. This is assured by an 
extra variable dummy that is true exclusively in this intermediate state. If 
necessary, there can be more dummy variables in the module. For an exam- 
ple of extra variables, in order to distinguish between the two intermediate 
states corresponding to the two looping moves from { Glu_low, >Glu_high}, 
we have 


state6 := !glu_high & !toGlu_high & glu_low & toGlu_low 
& dummy & toTrue_glu; 


whereas stated is identical with only one difference, that dummy is negated. 
Some of the states are chosen to be initial: 


INIT 
statel 


The transitions of the program are made so that only one synchronisa- 
tion of the modules is carried out at a time. A synchronisation is performed 
by a series of separate transitions of participating modules, one module at 
a time, in a specific order. For this purpose we assume an order of the 
modules. It can be arbitrary but fixed and we choose the order alloMod, 
betaMod, posMod, gluMod, lacMod, opMod, reprMod. 

First, all the participating modules conduct the transition to the re- 
spective intermediate states. After finishing the first round, the second 
transition leads to the respective target states. Throughout the whole op- 
eration all non-participating modules cannot perform any move. Moreover, 
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the modules that successfully arrived in the target state will not leave that 
state until the synchronisation is finished, thus making it a sort of transac- 
tion. 

In order to guarantee the above scenario, a move of an automaton 
has to be simulated by two transitions of the corresponding module. The 
first transition, from the source to the intermediate state has to wait until 
all the suitable transitions of modules preceding it in the order have been 
performed, and no other transition has been made in the system. 

For example: the loop move in state {=Glu_low, Glu_high} is trans- 
lated to two transitions in the module gluMod. First, transition from state1 
to state2 has to wait for the transition of module betaMod that is earlier 
in the order, precisely following the move’s synchronisation condition. This 
is expressed by the condition in macro 


pi2 := beta_high & toBeta_high & lac_in; 


The other part of the condition says that the remaining module, participat- 
ing in this move but later in the order has to be ready for the transition. 
Moreover, all modules except for those participating on the synchronisation 
that precede the current module in the order, must not be in a to-state, as 
expressed by the following macro 


ni2 := _toTrue_allo & toTrue_beta & _toTrue_pos & 
_toTrue_glu & _toTrue_lac & _toTrue_op & _toTrue_repr; 


where toTrue_mod is a variable that is true precisely in all to-states of 
module mod. Note that we use an underscored variable in order to denote the 
negation of a variable, instead of using the language construct of negation 
!. The reason for keeping distinct the variable and its negation will be clear 
at the end of this subsection. 

The transition itself is expressed as 


statel & p12 & n12 & next (state3) 


As for the second move, analogously, the module has to check that all 
the preceding modules have arrived to the target state and the following 
modules are the only one waiting for the execution i.e. in a to-state. 


state3 & p31 & n31 & next(statel) 


Individual expressions of all the possible transitions connected into a dis- 
junction form a characterisation of the transition relation in the section 
TRANS of the code. 
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In the case of the translation of a NOSYNC move, both transitions 
are only conditioned by TRUE. If a synchronisation condition refers to true; 
for some index 7 the translation operates with conditions using true_i and 
toTrue_i. 

In the module main we instantiate all of the modules, passing the vari- 
ables of all other modules as parameters to each module. 


MODULE main 
VAR 
glu : gluMod(allo.allo_low,!allo.allo_low,... 


Note that allo.allo_low is passed to formal parameter allo_low in mod- 
ule gluMod and its negation to the formal parameter _allo_low. The reason 
for keeping these parameters distinct is facilitating the creation of transla- 
tion corresponding to a sync-subprogram obtained by means of a projection. 
For example, to get the sync-subprogram obtained by projecting the model 
to {op, rep}, we only need to initialise modules op and repr in the same 
manner as before, but with all references to modules outside of the projec- 
tion substituted with TRUE. In this way the synchronisation conditions of 
modules outside of the projection become superfluous. 

The NuSMV source code obtained by the translation of our lac operon 
model can be found online [17], along with the examples from the following 
section. 


5.3 Experiments 


We check some known properties of lac operon regulation. The checking is 
performed by the tool NuSMV on the translations of the indicated subpro- 
grams. 

To guarantee that the properties are verified only in the states of the 
translated program that correspond to actual states of the sync-program, we 
need to guide the evaluation of satisfaction of atomic propositions to states 
that are not to-states. For this reason, each subformula f of an until formula 
A[f U gj has to be changed to stoTrue — f, where toTrue = \/,<; toTrue; 
and each subformula g has to be changed to atoTrue/Ag. We have to change 
subformulae of the weak until formula A|f Uy g| analogously. 

Theoretically, satisfaction of a property on M, for J C I guarantees its 
satisfaction in M,;. Analogously, from the practical point of view, positive 
result of model checking of a property on a projection of a model implies 
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its truth in the entire model. 


The property (P1) “The allolactose bound to the repressor implies that 
the operon is repressed” expressed by ACTL™ formula 


AG(Ballo > Rep) (P1) 
is translated by fortran to 
AG(-=toTrue — (Ballo + Rep)) (P1’) 


which is in the NuSMV syntax written as 
AG( notToTrue -> (repr.ballo -> op.rep) ) (P1’) 


is verified in the synchronisation skeleton representing the sync-subprogram 
P?:rePr in less then 0.1 seconds. 


NuSMV > check_ctlspec -p "AG(notToTrue->(repr.ballo->op.rep))" 
-- specification AG(notToTrue->(repr.ballo->op.rep)) is true 
NuSMV > time 

elapse: 0.5 seconds 

NuSMV > print_usage 

BDD nodes allocated: 174750 


In comparison, the verification in the whole model would take 0.5 seconds. 


The property (P2) “The increase of allolactose concentration can only 
be mediated by G-galactosidase in low concentration” encoded in NuSMV as 


AG( notToTrue -> (allo.allo_none & beta.beta high -> 
A[!allo.allo_low U beta.beta_low]) ) (P2’) 


is verified in the synchronisation skeleton representing the sync-subprogram 
P.8 in less than 0.1 seconds. In comparison, the verification in the whole 
model would take 0.4 seconds. 


The oscillation property (P3) “While lactose is inside the cell, the 
operon will necessarily oscillate between a repressed and an unrepressed 
state” encoded in NuSMV the global satisfaction of the conjunction of the 
following two formulae 
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(op.rep -> (AF (notToTrue & !op.rep) | 
Al(notToTrue -> AF(notToTrue & !op.rep)) U 
(notToTrue & !lac.lac_in)] )) (P3a’) 


and 


(lop.rep -> (AF (motToTrue & op.rep) | 
AC(@otToTrue -> AF(notToTrue & op.rep)) U 
(notToTrue & !lac.lac_in)] )) (P3b’) 


Hence, the Property (P3) encoded in NuSMV is 
AG((P3a’) & (P3b’)) (P3’) 


This property is verified in the synchronisation skeleton representing the 
sync-subprogram P%!4¢°P:rePr in 0.1 seconds as instead of 1.2 seconds in 
the whole model. 


The correctness property (P4) “When the glucose concentration drops 
and lactose is inside the cell, the lac operon will eventually be fully expressed” 
encoded in NuSMV as 


AG(notToTrue -> (glu.glu_low & lac.lac_in -> 
AF(notToTrue & op.act & !op.rep))) (P4’) 


is verified in the synchronisation skeleton program P* in 0.9 seconds. 
The negative regulation correctness property (P5) “When glucose con- 


centration is low, the lac operon will eventually be unrepressed” encoded in 
NuSMV as 


AG (notToTrue-> 
(lac.lac_in & op.rep-> AF(notToTrue & !op.rep))) (P5’) 


is verified in the synchronisation skeleton representing the sync-subprogram 
PP, lac,op,repr in 0,1 seconds (cf. 0.7s). 


The positive regulation correctness property (P6) “When glucose con- 
centration is low, the lac operon will eventually be activated” encoded in 
NuSMV as 


AG(notToTrue-> 
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Whole model Modular 
Property | Time | BDD size | Time | BDD size 
(P1’) 0.4s | 174750 nodes | <0.1s | 3271 nodes 
(P27) 0.4s | 180278 nodes | <0.1s | 1991 nodes 
(P3’) 1.2s | 326908 nodes | 0.1s | 35269 nodes 
(P4’) 0.9s | 283614 nodes | 0.9s | 283614 nodes 
(P5’) 0.7s | 256112 nodes |} 0.1s | 29193 nodes 
(P6’) 0.6s | 222511 nodes | 0.1s | 21442 nodes 


Table 1: Comparison of whole model verification with modular verification 


(glu.glu_low & !op.act-> AF(notToTrue& op.act))) (P6’) 


is verified in the synchronisation skeleton representing the sync-subprogram 
P#:lac,op.repr in 0.1 seconds (cf. 0.6s). 


Verification of properties on model fragments obtained by projecting on 
a subset of the system components takes much less time than verification of 
the same properties on the whole model. We compare in Table 1 the time 
necessary to verify the considered properties on the whole model and on 
the suitable model fragment we have identified. The table shows that the 
increase of efficiency of modular verification with respect to verification on 
the whole model can be significant, depending on the number of components 
to be involved in the modular verification. 


Another value that is compared in the table is the size of the data 
structure used by the model checker (a Binary Decision Diagram — BDD). 
Again, the use of smaller models in the modular verification approach al- 
lows smaller data structures to be used for the representation of the state 
space. This is another important aspect of modular verification, which may 
permit verification of properties of systems whose complete behaviour rep- 
resentation would require data structures that could be too big to fit in the 
memory of a computer. 


The worst case in modular verification of a property is the case in which 
all of the system components are necessary to verify it (as in the case of 
property (P4’)). In this case modular verification coincides with verification 
on the whole model. 


Modular Verification of Interactive Systems 
with an Application to Biology 67 


6 Discussion and Conclusions 


We have presented a framework for modelling and modular verification 
of properties of biological systems. In particular we have developed an 
automata-based formalism of interactive systems that allows system com- 
ponents to perform transitions simultaneously in a rather general way. More- 
over we have developed a modular verification technique for such a formal- 
ism that allows properties expressed in the universal fragment of CTL to be 
verified on suitably chosen fragments of models. As an application we have 
shown the modelling of the lac operon regulation process and the modular 
verification of some properties. 

Our formalism, sync-programs, is a form of interacting finite-state au- 
tomata which bears similarities with other formalisms, such as I/O au- 
tomata [28], Team automata [26], interacting automata [9] and communities 
of interacting automata [27]. We have defined our formalism upon finite au- 
tomata, since they are in particular connected with clear mathematical se- 
mantics, systems visualisation and decidability of many crucial behavioural 
properties [27]. Differently from most of the other definitions of interact- 
ing automata, which are based on environmental events or communication 
channels, we have employed state-based synchronisation conditions. This 
choice was motivated by the explicit aim of property verification and by 
the close relation to synchronisation skeletons, the shared-memory model 
used by Attie[2]. Finally, we have chosen the synchronisation among an 
arbitrary number of components, rather than a 2-way synchronisation, in 
order to allow a more natural modelling of biological phenomena. Multi-way 
synchronisation is used by several other formalisms, such as [26, 1, 34]. 

In the definition of our modular verification technique we have followed 
the “property preservation” approach, namely that truth of ACTL™ formu- 
lae is preserved from sync-subprograms to the program. This has been 
originally considered by Grumberg and Long [23] and Dams [15] in different 
contexts. Other approaches to modular verification infer properties of a 
system from some properties of its components, e.g. [26] and [30]. 

Our technique is based on projections which can also be seen as a form 
of property-driven model reduction. Similar reduction methods have been 
proposed in [3, 5]. Differently from the other proposals, we operate on the 
syntax of the model rather than on its semantics. 

The property preservation ensures that the truth of ACTL™ is pre- 
served from sync-subprograms to the program. Failure to verify a property 
in sync-subprograms does not help in establishing its satisfaction in the 
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whole program. However, it is worth noting, that in some cases model in- 
spection aids finding a larger sync-subprogram that allows for successful 
verification of the property. Preservation of falsehood of ACTL~ formulas 
amounts to full CTL preservation and can be obtained only under bisimi- 
larity [15]. For application in systems biology see [31]. 


The ACTL™ logic includes only universally quantified formulae. Preser- 
vation of these properties is guaranteed by the fact that the projection op- 
eration yields a reduced model that represents an overapproximation of the 
system behaviour. In order to preserve the satisfaction of existentially quan- 
tified formulae, such as EF'g or E(gUf) (as done in [15] in the context of 
abstract interpretation), one would need a different definition of the pro- 
jection operation resulting in an underapproximation. Also in this case, 
however, the technique presents the problem of false negatives as they can 
be avoided only under bisimilarity between the whole and reduced models 
[15]. 

In the present work, we have only considered a fixed number of compo- 
nents. Since in biological systems it is often the case that the components 
are created and destroyed dynamically, we have developed in [19] an exten- 
sion of our formalism with run-time creation of sync-automata. Such an 
extension allows several copies of sync-automata of the same type to be en- 
abled at the same time, and to be created by moves of other sync-automata. 
The state space of the semantics of a sync-program is hence no longer finite, 
but it can be shown that such extended sync-programs can be translated 
into Place/Transition Petri nets, thus inheriting important decidability re- 
sults. The extension of sync-automata permits a wider class of biological 
systems to be described. However, from the practical point of view it has 
still to be assessed whether a new verification tool should be developed for 
the formalism, or there is some existing model checker for infinite state 
systems that could be efficiently exploited. 


As future work, we plan to extend our property preservation theorem 
to preserve all ACTL* properties in the way used in [23]. Moreover, we 
plan to improve our approach with a weaker notion of fairness, in the line 
of [2]. An ongoing work is giving a formal definition of the translation of 
sync-programs into a formalism similar to the input language of the NuSMV 
model checker. 

In [11] the authors consider a modular approach to quantitative model 
checking in a biological context. A quantitative extension of our framework 
would be desirable in order to describe the systems more precisely. Pre- 
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liminary ideas about a quantitative extension of sync-programs have been 
presented in [21]. 
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